Tag | LDAP Posts

As many of you may already know, I'm working at a global gaming and entertainment company, responsible for designing and implementing the next-generation platform that will run on the cloud, and for designing the cloud platform as well. Currently one of the goals is to replace the Active Directory integrated security and identity solution with a certificate-based solution in our product. In short, we need to work with Active Directory Certificate Services to request and issue the certificates ...
© 2011 By: Dov Trietsch. All rights reserved. Finding a Person in the Forest, or Limiting the AD Result in SharePoint People Picker. There are times when we need to limit the SharePoint audience of certain farms, servers or site collections to a particular audience. One of my experiences involved limiting access to US citizens, another to a particular location. Now, most of us – your humble servant included – are not Active Directory experts – but we must be able to handle the “audience restrictions” ...
Initial troubleshooting. As always, one of the first things to check is the event viewer to see if an event was generated detailing the error. Additionally, check %windir%\debug for adamsetup.log and adamuninstall.log (the latter is only created during the uninstall process). These two logs will tell you where the setup is failing and what should be checked. It also pays to know that setup errors are written to the registry. If you cannot find the following key, there was no failure as the ...
LDAP is not Active Directory, though Active Directory is LDAP. As someone who drinks the Microsoft Kool-Aid, I found myself using LDAP for something other than Active Directory and I thought I should share what I have found. The problem domain was to connect a new MVC application to an existing Sun One LDAP store. First off, authenticating an MVC application using forms authentication and the Membership providers is straightforward. Start with the ASP.NET MVC 2 Web Application template that ...
In a previous post, I wrote about how to get LDAP authentication working in Collabnet. By default, all LDAP users are put into the Users role on the server. For most purposes, this is just fine, and I don’t have a way to change this. The documentation gives hints that you can add them to other roles, but for now, I don’t have the need. However, adding permissions to different repositories is a different question. To add them, go to the repositories list, select Access Rules and then you can enter ...
We want to use both subversion usernames and passwords as well as Active Directory for our authentication on our Collabnet subversion server. This has proven to be more of a challenge than we thought, mostly because Collabnet’s documentation is weak in this area. To supplement that documentation, I add my own. The first thing to understand is that the attribute that you specify in the LDAP Login Attribute ONLY applies to lookups done for the user. It does NOT apply to the LDAP Bind DN field. Second, ...
I've installed SharePoint 2010 and created the first site collection. When I try to specify a Target Audience for the Announcements web part on the Home page via Web Part Properties, there is no "Target Audience" option. When I googled, I found articles that specify how to set Target Audience for a List. But that's not what I need. This article will explain how to get Target Audience for a web part in SharePoint 2010 sites. How to specify Target Audience for a Web Part in SharePoint 2010? Well, it's obvious that free versions ...
Most of the time, I get questions from new friends who work in other technologies such as "SharePoint is for Content Management/Website Creation?". Well, it's common because SharePoint is the successor of Microsoft Content Management Server (CMS), which was used exclusively for Web Content Management. SharePoint Portal 2001 predominantly focused on Content Management features, whereas the later releases came with more features. It's very easy to create a Collaboration portal with SharePoint in minutes where it requires ...
Form Based Authentication (FBA) is great when exposing SharePoint on the internet or extranet: users don’t have to know the domain they are authenticating to, and you can manage the authentication using LDAP or a SQL database, amongst other cool stuff. But during the configuration process you end up disabling Integrated Windows Authentication (IWA) because you want your users to be presented with an FBA page. Once you disable IWA you get the following notification: If Windows authentication is not ...
"Can I have 1,000s of MSMQ queues?" Yes, of course you can. "Is it a good idea to?" Maybe not. The queues themselves do not take up many resources: In memory - each ACTIVE queue is about 400 bytes (over half of which is kernel memory). On disk - each queue has a configuration file (in the \msmq\storage\lqs directory) and these are only 1-2kb each. So a thousand queues - all containing a single message, for argument's sake - are not going to be much of an overhead on an MSMQ machine. The problem may ...
When working with LDAP from asp.net for user management, it is essential to give the user the ability to change their password, so we will use a small piece of code that will help us do it:
Private Sub ChangeUserADPassword(ByVal Username As String, ByVal Password As String, ByVal newPwd As String)
Dim dcDNS As String = "whatever.com"
Dim rootDN As String
Dim rootDSE As DirectoryEntry
Dim searchRoot As DirectoryEntry
Dim userEntry As DirectoryEntry
Dim searcher As DirectorySearcher ...
Worked on a CRM which had a need to limit the users that could be chosen to a specific OU. This should be simple enough with the CRM deployment config tool following these instructions: http://support.microsoft.co... However it did NOT work. The error I got was: Command failed with the following message: The parameter does not start with '-'; The command I used that gave me this error was Microsoft.Crm.DeploymentCon... userorgsettings update -organization:<ORG_NAME> -propertyname:UserRootPath ...
In my initial announcement I could only cover a small subset of what ApiChange can do for you. Let's look at how ApiChange can help you fix bugs due to wrong usage of an API in a fraction of the time it would normally take. It happens that software is tested and some bugs show up. One bug could be: we get way too many log messages during our test run. Now you have the task to find the most frequent messages and eliminate the Log calls from the source code. But what about the myriad other log ...
Here are a few one-liners that use NetCmdlets. Some of these I've blogged about before, some are new. Let me know if you have questions, which ones you find useful, or how you altered these to suit your own needs. Send email to a list of recipient addresses: import-csv users.csv | % { send-email -to $_.email -from lance@nsoftware.com -subject "Important Email" -message "Hello World!" -server 10.0.1.1 } Show the access control list for a specific Exchange folder: get-imap -server $mymailserver -cred ...
Recently while making some changes for a client, I accidentally dug myself into a pretty deep hole. I was trying to explicitly deny a certain user from reading a few group policies including the Default Domain Policy. When I went in to make the change I accidentally denied Authenticated Users rather than the AD user object. This of course made the GPO inaccessible to all users, including any with domain admin rights. The policy could no longer be modified in the GPMC and, worse, changes could not be made ...
This week, I had a pretty strange request. An organization wanted to host multiple Email domains in their Exchange environment while keeping it hidden from external mail users and outside parties. Same organization was ok, same AD and Exchange servers were not. The mail flow portion was pretty simple. Added a new accepted domain to Exchange 2007, to the spam filter appliance, configure LDAP for this new SMTP domain, and change the primary email address for certain users. I used an email policy that ...
When passwords are set to expire after a certain number of days in Active Directory, the remote users suffer because they do not get a notification like the local users do that their password is going to expire. Eventually, it becomes too late for them to change their passwords and they get locked out. I found this out recently and did not believe that there was no built in support for this. I started researching and indeed, there was no built in support. The solution was to email the users, either ...
This post is the fourth in a series of postings, containing examples of SharePoint WebParts that anybody can build all by themselves. To read all posts in this series, or to get started with the RSSBus WebPart, go here. #4 – List Active Directory Groups and Users This web part will list each user group and its members, as defined in your Active Directory (or other LDAP server) installation. Step one is to make sure you have the RSSBus Web Part installed. See here for instructions. Step two, make ...
It's been quite a bit of a struggle for me to find an accurate way of finding the NetBIOS name of a domain from AD using System.DirectoryServices. In case you are in the same jam, here is how you do it. Connect to AD using the following LDAP URL: LDAP://CN=Partitions,CN=Con... When querying AD using the DirectorySearcher object, use the following filter: netbiosname=* This should give you a record from AD containing the NetBIOS name of the domain as the ...
I saw Jeff Hicks’ great Get-LocalMember post this morning, in which he has extensive demonstration of retrieving information about AD group members. I thought it might be a good time to show some of the power of the get-ldap cmdlet. Yes, using the get-ldap cmdlet does require familiarity with the LDAP protocol itself, so in this way it is for more advanced users who just need to do quick LDAP operations without a lot of required coding and with just one universal cmdlet. So, how do I list the group ...
We're removing WINS from our environment. Don't ask me why, I'm not a big fan of the idea... but they don't pay me to make decisions, they pay me to make things work. Things work fine without WINS, once you've joined the domain, DNS takes it all over and everything works. However, we have a utility that does most of those tasks needed to join a machine to the domain -- creates an INI file used to create the machine account, renames the machine to meet our standards, and does the join (among other ...
So my exchange server stopped working along with the web server and such, and system attendant started hanging in startup. I searched for the problem and really didn't find anything useful until I found a single forum response that solved the problem. Here's the error message I was seeing in the event viewer: Process MSEXCHANGEADTOPOLOGYSERVICE... (PID=3392). Topology discovery failed, error 0x80040a02 (DSC_E_NO_SUITABLE_CDC). Look up the Lightweight Directory Access Protocol (LDAP) error code specified ...
Kevin posted an interesting comment to my last post about how to setup HTTP authentication on Windows Vista and that was that this sort of thing should be built into SSAS itself. While this is not a bad idea, I don't know if it would be high on the list of things that I would like to see added to SSAS. I don't have a written list as such, but here are few things off the top of my head that I would like to see in future versions. After I compiled this list I searched the connect site and added links ...
The userAccountControl attribute is used to control the access of a user account. This value can be set to the bitwise OR of a set of flag values, documented here:

Property flag        Value in hexadecimal   Value in decimal
SCRIPT               0x0001                 1
ACCOUNTDISABLE       0x0002                 2
HOMEDIR_REQUIRED     0x0008                 8
LOCKOUT              0x0010                 16
PASSWD_NOTREQD       0x0020                 32
PASSWD_CANT_CHANGE   (Note: You cannot assign this permission by directly modifying the UserAccountControl attribute. For information about how to set the permission programmatically, ...)
PS C:\> get-ldap -server testboy -cred $mycred -dn dc=JUNGLE -searchscope wholesubtree -search "(&(objectclass=user)(o... Again, there's no need for dozens of LDAP cmdlets. The two LDAP cmdlets included in NetCmdlets, get-ldap and set-ldap, are all you need for most tasks. The above command shows how you would search for disabled user accounts with the get-ldap cmdlet. Technorati Tags: PowerShell, LDAP, Active directory, ...
In my previous posts about LDAP group membership, I've talked about how to get a list of groups, how to search for a particular group's members, and how to search for what groups a particular user belongs to. Up next: how to change group membership. To add or remove a user from a group, you need to modify the "member" attribute of the group itself. To do this we'll use the set-ldap cmdlet of NetCmdlets. Add a user to a group: To add a user to a group, set the DN parameter of set-ldap to the DN of ...
In the last LDAP series post, I mentioned how to search for the members of a group. Now the opposite, here's how to search for what groups a particular user is a part of: To do this search, all I do is form a search filter that is searching for all groups that has a particular member in it. So really this is a slight alteration of the search for all groups. PS C:\> get-ldap -server testboy -cred $mycred -dn dc=JUNGLE -searchscope wholesubtree -search "(&(member=CN=Lance Robinson,CN=Users,DC=JUNGLE... ...
More with the LDAP cmdlets in NetCmdlets, here's how to list the members of a particular group. I used the get-ldap command shown in the last post to get a list of all my admin groups, and saved it in a $groups collection:
PS C:\> $groups = get-ldap -server myserver -cred $mycred -dn dc=JUNGLE -searchscope wholesubtree -search "(&(objectclass=group)(...
PS C:\> $groups
Host DN
---- --
testboy CN=Administrators,CN=Builti...
testboy CN=Schema Admins,CN=Users,DC=JUNGLE
testboy ...
NetCmdlets doesn't have a long list of Active Directory cmdlets for PowerShell. Instead, it has 2. And they aren't AD specific - they just implement the LDAP protocol itself so they can work with any LDAP server, Active Directory or not. Two cmdlets are all that is needed to make common tasks simple. One for setting values (set-ldap), and one for getting values (get-ldap). Here's how I can retrieve a list of all the "admin" groups: PS C:\> get-ldap -server myserver -cred $mycred -dn dc=JUNGLE ...
By default Office SharePoint Server 2007 imports all profiles from the Active Directory Database. This presents an issue for some companies (mine in particular ;)). After doing some searching I found an older article by Michael Bollhoefer. He tipped me off to the following LDAP filter which worked beautifully, and after running a full profile import and reindexing our SharePoint Search those old Inactive profiles were gone from the Database and the search. (&(objectCategory=perso... ...
Earlier this week, Microsoft rather quietly released its Windows Live Hotmail offering. Along with the release, a replacement for the Outlook Express and Windows Mail desktop clients was announced, as well as new software to integrate web mail with Outlook, called the Outlook Internet Mail Connector. Outlook Express and Windows Mail will be replaced with a new desktop product called Windows Live Mail in the coming weeks. The program will handle POP, IMAP, and Windows Live Hotmail accounts and is ...
In Scenario 1 I blogged about how to get a certificate using the X509Store class, where I used something like this: X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser); But after spending a bit of time with the X509Store I realized it has limitations. The StoreLocation enum has only 2 options: CurrentUser: The X.509 certificate store used by the current user. LocalMachine: The X.509 certificate store assigned to the local machine. But I wanted to load a certificate from a remote LDAP server... ...
I found my more detailed notes on the package flags. A couple of corrections: The flag “524288” specifically tells whether an app is published or assigned – it’s set for assigned, unset for published. 8 is typically set for published apps and cleared for assigned. I promised code. private void SearchAD(string target, string policy, string policyname) { DirectoryEntry entry = null; try { entry = new DirectoryEntry(policy); } catch (COMException Ex) { toolStripStatusLabel1.Text = "Couldn't connect ...
Sorry about the delay. Last time I dug into the SYSVOL portion of app distribution via Group Policy. This time, the Active Directory side. I'm sure you already know that the net result of GP distribution is that if the user is in the appropriate group, the app appears in Add/Remove programs. The file on the Sysvol is important -- we've seen cases where for some reason the .AAS file disappeared; when it did, the app stopped appearing in Add/Remove Programs. The other half is, of course, in Active ...
My newest project at work, as a Web Systems Analyst, has been to evaluate, acquire, install and configure a Web Application for tracking Issues or Problems provided by Computer Services for 150 to 200 users. IssueTrak 7.0 by Global Support Software is a Web App consisting of SQL Server, Stored Procs, Active Server Pages, CSS, and scripting. When you acquire IssueTrak, you also need SQL Server 2005 with the Management tool so you can manage the database, run scripts, and create and schedule jobs. I customized ...
Here's how you can change your Active Directory (or other LDAP server) password with the set-ldap cmdlet in /n software NetCmdlets. I also recently showed how to do this using the IP*Works! SSL LdapS dev component. PS C:\> set-ldap -server myserver -binddn Domain\Administrator -password admin -dn "cn=BillyBob,ou=Employees,d... -newpassword mynewpassword -ssl implicit Update: the -password parameter is now a secure string. There is also a -credential parameter. So the cmd to change the ...
Previously with NetCmdlets, authentication details were only accepted using plain text parameters. This is still supported, but now these cmdlets support PSCredentials through a new -credentials parameter. This works for almost all of the cmdlets included in NetCmdlets, like FTP, LDAP, HTTP, SMTP, Rexec, RSS, IM, SMS, SSH, etc. Here's an example with get-ldap. Before, you had to bind to the directory server using plain text parameters, like this: PS C:\> get-ldap -server testboy -binddn mydomain\admin ...
MOW's "PowerShelled" blog is another awesome PowerShell resource. Of particular interest to me was MOW's series on PowerShell and Active Directory. He used the .Net System.DirectoryServices classes to do all the work. Here is how you can use /n software's LDAP cmdlet to manage directory servers like AD. The LDAP cmdlet supports plain connections as well as secure SSL connections. The LDAP cmdlet will work with any directory server, including AD, ADAM, OpenLDAP, Novell, etc. The LDAP cmdlet uses its ...
Last year I posted the rules about how to remotely change your LDAP password. It's not very obvious because the procedure depends on what server you're using (Active Directory, OpenLDAP, Novell, etc.), and even then on how your server is configured. Here is how you would change your password using the LDAPS component of IP*Works! SSL (note, an SSL connection is required in order to change your password remotely if you are an Active Directory user. Otherwise you can do this with the LDAP ...
.Net Directory Services Programming – C# - Part 3. Topics: DirectorySearcher – the other critical class in the DirectoryServices namespace. Review: Because a lot of your Directory Services (DS) development will involve querying DS for data, it makes sense that this is a powerful class offered in the namespace, and below are some of the features: DirectorySearcher – Performs the initial queries against AD. SearchResult – A single object reference from a search performed by DirectorySearcher ...
This article explains how to add users to a PDL programmatically. In large organizations, most employees may belong to more than one project/work group. Each project/workgroup maintains a separate distribution list for communicating with its members. As the number of members in a workgroup increases, maintaining the PDL becomes an overhead. One way to handle this is to automate the process. In this process, the official email IDs of all members are entered in a text file. We will read from ...
For Authorization we had the requirement that we had to be able to easily assign a specific user to a certain "role" and they would have all the privileges associated with that role. We had to be able to make users members of multiple roles. We also had to be able to configure what specific privileges belonged to each role. In addition, we had to be able to assign a specific user to a specific role, but then also give them access to one or more specific privileges in addition to those granted ...
I've been looking for and testing many different Content Management Systems and this one takes the cake. On top of offering top notch workflow management and Active Directory and LDAP integration, it has a concept called "Smart Spaces". This allows the administrator to easily control security by creating rules on each space (folder) that allow, deny, or direct content to another location. I have a very large collection of electronic documentation, such as Word documents and PDF files. The Alfresco search ...
Here is a quick VBScript that can be used to create roles in ADAM. I suppose you can also use Ldifde but I get lazy formatting the .LDF file, etc. So here is what this script does: It takes the input file specified when executing the script (e.g. cscript CreateADAMRoles.vbs ). It reads the input file and loops line by line until the end of the file. During each loop, it performs the following ADSI routines. Connects to the LDAP path defined within the Global Settings (e.g. LDAP://localhost:389/cn=rol... ...

I've been running several searches against a GDS LDAP directory - and
the Timeout and ServerTimeLimit properties of the DirectorySearcher
class appear to have no effect.

After further testing I've discovered that the problem is caused because I was using sub second timeout periods eg 500ms - and the LDAP server I'm accessing (GDS) only supports timeout periods of whole number seconds.

HTH

Tim

You have got to go check out these documents just posted by Microsoft on their press release page. My favorite quote: "In short, the Statement of Objections claims Microsoft has failed to create Technical Documentation that the Commission did not read, and for which no competitor has sought a license, all to address a problem about which no customer has ever complained."
No rest for the wicked! My first week back has meant clocking up the miles, visiting vendors and attending meetings. One of the software vendors I went to visit was Sybase at their Maidenhead office, and particularly their mobility division. I would like to thank Ian Matthews and Tim Roberts for their hospitality. The day visit was a deep dive into the Afaria mobility management product. Afaria, if you have done your homework, is pretty much the market leader in the mobility management space ...

I added a small feature so that if you don't know what DN to bind to and your directory server is Active Directory, you can click on a little "?" button and the application will attempt to discover a root binding DN for you.

Updated copy of the LDAP browser (c# source code and compiled exe) can be downloaded here.

Custom Properties in AD, Open DirectorySearcher Queries and Large LDAP Queries. QUESTION: Mike, I am new to AD and LDAP but have programmed the last couple of years in C#. I have read your articles. I am trying to write a program that will go in and check three columns in a User OU for each of the objects in that OU. I need to check the sAMAccountName, EmployeeNumber and UIDNumber. I have to make sure that the EN and the UID are the same but they must be different than the sAMAccountName. I then must ...